The hack dwarfs all previous breaches of the site and its affiliates
According to LeakedSource, 412 million personal accounts have been compromised across Adult FriendFinder, an online adult dating service, and its subsidiaries Penthouse.com, Stripshow, iCams, and one “unknown domain.”
The particular means of entry, Local File Inclusion (LFI) vulnerabilities, had actually been flagged for the site a month earlier. According to CSO, a hacker claimed to have found LFI flaws on Friend Finder's site that would “allow an attacker to include files located elsewhere on the server into the output of a given application.” In practice that means a page which builds a file path from user input (a template name, a language code, a page parameter) without restricting it to the intended directory, so that directory-traversal sequences or absolute paths pull arbitrary server files into the response.
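As an added illustration of the flaw class described above (example code written for this piece, not Friend Finder's code and not from the CSO report): a minimal file-include routine in its vulnerable form beside a hardened one. The directory layout, file names and contents are constructed for the demonstration; the hardened version resolves the real path and refuses anything that lands outside the template directory or lacks the expected extension.

```python
import os
import tempfile


def vulnerable_include(base_dir, name):
    """LFI pattern: user-controlled 'name' is joined onto a base directory
    with no validation, so '../config.php' or an absolute path escapes it."""
    with open(os.path.join(base_dir, name), "r") as f:
        return f.read()


def safe_include(base_dir, name, allowed_ext=".tpl"):
    """Hardened form: canonicalise both paths (realpath also resolves symlinks),
    then require the target to sit under the base directory and to carry the
    expected extension. Anything else is rejected before the file is opened."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    # commonpath is a string-safe containment check; a bare prefix test on
    # '/app/tpl' would wrongly accept '/app/tpl_private/...'.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes template directory: %r" % name)
    if not target.endswith(allowed_ext):
        raise ValueError("unexpected file type: %r" % name)
    with open(target, "r") as f:
        return f.read()


def build_fixture():
    """Constructed sample tree (hypothetical contents):
       <root>/templates/welcome.tpl  - the file the page is meant to include
       <root>/config.php             - a sensitive file outside the template dir"""
    root = tempfile.mkdtemp()
    templates = os.path.join(root, "templates")
    os.makedirs(templates)
    with open(os.path.join(templates, "welcome.tpl"), "w") as f:
        f.write("Welcome")
    with open(os.path.join(root, "config.php"), "w") as f:
        f.write("db_pass=hunter2")
    return root, templates


def demo():
    """Runs a legitimate and a traversal request through both routines."""
    _root, templates = build_fixture()
    results = {}
    results["vuln_legit"] = vulnerable_include(templates, "welcome.tpl")
    # The vulnerable routine happily returns the file one level up.
    results["vuln_traversal"] = vulnerable_include(templates, "../config.php")
    results["safe_legit"] = safe_include(templates, "welcome.tpl")
    try:
        safe_include(templates, "../config.php")
        results["safe_traversal"] = "allowed"
    except ValueError:
        results["safe_traversal"] = "blocked"
    try:
        safe_include(templates, os.path.join(templates, "..", "config.php"))
        results["safe_absolute"] = "allowed"
    except ValueError:
        results["safe_absolute"] = "blocked"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-15s %s" % (key, value))
```

The check is deliberately done on the resolved path rather than by stripping "../" from the input: encoded or doubled traversal sequences defeat string filtering, while a realpath-plus-containment test judges where the path actually ends up.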
(Passwords were also posted, and given the breakdown of the most common ones, it would not be especially hard to pick a random account and try “123456,” “password,” and “qwerty.”)
The company’s vice president, Diana Ballou, issued a statement saying, “Over the past several weeks, Friend Finder has received a number of reports regarding potential security vulnerabilities” and that, “Immediately upon learning this information, we took several steps to review the situation and bring in the right external partners to support our investigation.”
Adult FriendFinder was hacked last year as well, exposing the contact data of 3.9 million users, including birth dates and postal codes. Once that information was in the public domain, it was possible to locate real people by comparing it with public records and social media. The attackers are believed to have used the breached database first to build email lists for spam and subsequently to look for blackmail opportunities.
One of the more troubling things for users, notes LeakedSource, which initially released the news of the breach, is the prevalence of email addresses in the form “[email protected]@deleted1.com.” What this means is that accounts users had deleted were still present, at least in part, in the site's data; the information was probably retained as an anti-fraud measure in case of reactivation attempts.
This deletion policy was an issue raised in the 2015 hack, and apparently, not yet fully resolved at the time of this incident. It was also an issue with the Ashley Madison breach, which exposed 33 million users of the popular “cheating” web portal. Though the site did take down profiles, and charged a fee for a “full delete,” the process was not always complete. “Your GPS coordinates would not be removed, nor would your city, state, country, weight, height, date of birth, whether you smoke and/or like a drink, your gender, your ethnicity, what turns you on, and other bits and pieces” according to a review of the “full delete” option by The Register.
This policy put Ashley Madison, and other similar adult dating platforms, in a bind between the need to protect users' privacy and the need to guard against fraud. As noted by Lexology, “the indefinite retention of personal information was excessive” in the Ashley Madison case, but “the prevention of fraud was a reasonable basis for retaining information for a limited period after a full delete.” Australia and Canada, though, found these policies to be in violation of their national privacy laws, both on the amount of data and the length of time it was kept, because the site lacked sufficient safeguards.
No matter how much fake data people enter – lying about their age, for instance – there is always a chance some real data can be used to violate privacy, such as sexual preference, especially if the user is “in the closet” in other life settings. (Preferences were listed in both the Ashley Madison hack and the earlier 2015 Adult FriendFinder incident, but not this time around.) Whatever one thinks of the sites and the services they offer, users have a reasonable expectation of privacy when signing up. It is also worth remembering that there is no guarantee a person actually signed up just because their email address appears: their information could have been entered falsely by someone else.
And, worst of all, it normalizes these leaks in the broadest sense. If it is Adult FriendFinder now, other databases tomorrow will be subject to ransom and, should they not pay it, absolute bedlam.